ietf-smime
[Top] [All Lists]

Re: [smime] Message takeover attacks against S/MIME

2016-01-29 08:47:02
If the only thing we need to do is add AES-GCM, then the obvious venue is 
CURDLE. 
But we do need to do something soon because S/MIME is loosing deployment 
support. It isn't in the new Microsoft platform mail system, it is virtually 
unusable in iOS, it is absent in the Android client and it takes 30 minutes to 
configure Thuinderbird. That would not worry me if OpenPGP was filling the gap 
but it is not.
If we are going to get working end to end secure mail, several things have to 
happen:
1) Stop the S/MIME vs OpenPGP standards battle. The GNU code and most of the 
other libraries for OpenPGP support S/MIME. They have to do PKIX for SMTP 
STARTLS, S/MIME is a minor extra burden.
The choice of message infrastructure should not determine the choice of the 
trust infrastructure. It is not possible to solve every trust problem with 
either PKIX or Web of Trust or direct trust via fingerprints.
2) We have to have up to date specifications for the end-to-end message formats 
that define a consistent modern crypto suite. [CURDLE]
3) We have to work out how to make end to end mail work properly with Web Mail 
4) Configuration of the clients has to be absolutely painless. Which is what I 
designed the Mathematical Mesh to address. Use cryptography to solve the 
problem of making computers easier to use.
I am just redoing my podcast demonstrating the Mesh, the sound on the first one 
doesn't meet my standards.

If people want to look at what I have done and then do the same thing 
completely differently, that is fine with me as long as they do it, deploy it 
and it works as well. But given that I am using a completely modern, 
fashionable set of standards (HTTP/1.1, JSON, JOSE, CURDLE) and none of this 
requires a CA, I can't see it likely people would want to make that sort of 
change.
It does need review though. And deployment. The killer app for the Mesh can't 
be secure email because there isn't much value to a system that reaches 0.1% of 
Internet users (combined user as of OpenPGP and S/MIME). But most people would 
like to have an easy, robust and really secure way to manage SSH keys, most 
people would like an easy way to encrypt their data in the cloud and pretty 
much everyone is fed up with having to remember passwords for 100 web sites. 
All those benefits are immediate regardless of whether anyone else buys in.
The Mesh itself is an untrustworthy service, this is a completely end to end 
protocol. The user is in direct and full control of all their data at all times.

Sent from Outlook Mobile

    _____________________________
From: Peter Gutmann <pgut001(_at_)cs(_dot_)auckland(_dot_)ac(_dot_)nz>
Sent: Thursday, January 28, 2016 11:37 PM
Subject: Re: [smime] Message takeover attacks against S/MIME
To: Russ Housley <housley(_at_)vigilsec(_dot_)com>, IETF SMIME 
<smime(_at_)ietf(_dot_)org>


Russ Housley <housley(_at_)vigilsec(_dot_)com> writes:

Take a look at this article: http://cryptosource.de/posts/smime_mta_en.html

Is there interest in updating the S/MIME specification to use authenticated-
encryption?

It looks like a pretty contrived attack, you need to be able to truncate a
message, both at the start and end, on a 16-byte boundary to turn a signed
message into a plain, unsigned one, and still have the client accept the
result as a valid message.  They found one client that does that, but that
sounds more like a buggy client than a major problem (none of the others did
it).

In any case the fix should be pretty minimal, if anything is required at all:
If the SMIMECaps in the cert you're encrypting for indicates authEnc, use
that.  My code already does that and possibly other impementations do too.

Peter.
_______________________________________________
smime mailing list
smime(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/smime



  
_______________________________________________
smime mailing list
smime(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/smime